EU’s New Data Regulation Requires Action Now

Among the many new requirements contained in the EU’s new data regulation, set to take effect in May of 2018, is the right of citizens to demand that certain information about them be erased from the Internet, more commonly known as the ‘right to be forgotten.’

The countdown has begun. In May 2018, the European Union’s General Data Protection Regulation (GDPR) will come into force and impose sweeping new obligations on organizations and their handling of personal data. The rapporteur assigned by the European Parliament to lead the negotiations around the GDPR, Jan Philipp Albrecht, boldly declared that the new regulation “will change not only the European data protection laws but nothing less than the world as we know it.”

The harsh reality is that most companies—large and small—will struggle over the next 300 days to comply with the regulation’s myriad requirements.

Indeed, the scale of this task and its potential complexity was underscored earlier this month when Germany became the first EU member state to pass national legislation implementing the GDPR. While the GDPR will apply directly to the EU’s 28 member states, many of them are expected to adopt implementing legislation that will tailor certain aspects of the GDPR to their national laws. As an example, the just-passed German Data Protection Amendment Act imposes slightly different obligations with respect to the process for obtaining employee consent, for utilizing closed-circuit televisions to monitor security in publicly accessible spaces and for conducting scientific research.

Privacy as a Fundamental Right in Europe

Before looking forward, it is helpful to consider the historical context for these new laws. First, in the wake of World War II, Europeans enshrined the right of privacy as a fundamental human right in Article 8 of the European Convention of Human Rights.

Half a century later, the internet and the smartphone have changed the way that we live. With these new technologies, both companies and the government developed unprecedented abilities to track individuals’ profiles, aggregate consumer data and use algorithms to predict habits and preferences.

As these capabilities developed, however, so did a strong belief across Europe that privacy rights were being eroded. It is against this backdrop that European authorities felt compelled to act to limit, control and expose the sweeping collection and use of personal data.

The Core Elements of the GDPR

In elevating the rights of consumers, the GDPR represents a sea change in how companies will have to operate. While the regulation is nearly 100 pages long, four themes dominate its core

Individuals will have enhanced tools to protect their right of privacy.

Companies will be forced to reassess the manner in which they process and retain data.

Companies will need to review their contractual arrangements with a host of third parties.

Companies will be held to far stricter accountability and sanctions.

Those companies running afoul of GDPR provisions could incur fines of as much as 4 percent of their global turnover. According to Oliver Wyman research, fines and penalties in the first year may exceed $6 billion, for Financial Times Stock Exchange (FTSE) 100 companies alone.

Sweeping Jurisdiction

The GDPR’s reach potentially extends beyond the EU borders, as its focus is its citizens’ personal data. The GDPR applies to any organization that collects or processes personal data in connection with the offering of goods or services to EU citizens, or monitoring of such citizens’ behavior, regardless of where the organization is located. Accordingly, its data privacy protections, and requirements, follow wherever the data travels. In practice, the broad jurisdictional provisions mean that the GDPR’s complex regulations will have a global impact.

Breach Notification

For the first time, European companies will be required to notify regulatory authorities, and potentially consumers, in the event of a significant cyber breach. Following the Dutch implementation of a “mini-GPDR” in 2016, thousands of incidents were disclosed to the Dutch Data Protection Authority within months. Extrapolating this sample across the entire EU provides an early window into the likely ramifications for management teams and supervisory boards.

Executives should take ownership of cyber risk. Data security is not solely the responsibility of the IT department.

Data Security

The GDPR provides guidance on practices to protect data, such as delinking data from names (“pseudonymization”), encryption, regular assessments of technical controls and incident response plans for maintaining the confidentiality and integrity of data. To ascertain what controls are needed, companies will need to undertake privacy impact assessments and consider engaging external experts. Businesses can expect regulatory authorities, the media and individuals to scrutinize their data practices.

Affirmative Consent and the ‘Right to be Forgotten’

The GDPR prohibits any company from collecting personal data without first notifying users of how their data will be stored, processed and protected. It also requires that any individual consent obtained for processing data be “freely given, specific, informed and unambiguous.” This “affirmative consent” will potentially require users to click on a consent notice or take other measures to affirmatively demonstrate agreement to allow for the data collection.

The GDPR will also codify the “right to be forgotten,” which allows individuals to demand that personal data be deleted so that it cannot be searched online by third parties. European courts have already recognized that this right exists and currently are considering how broadly it can be applied on an extraterritorial basis.

Global Web of Cyber Regulation

Europe is far from the only government authority seeking to impose greater data and cyber protections on business. Earlier this year, the New York State Department of Financial Services adopted the most comprehensive set of cybersecurity requirements in the United States. The DFS regulation imposes new requirements around concepts such as multi-factor authentication for password protection, encryption at rest and protocols for patching software vulnerabilities (think the WannaCry and Petya attacks).

There is a growing awareness of the cybersecurity threat in Asia, as evidenced by China’s new cybersecurity law and its “data sovereignty” requirements. Given cybersecurity threats and this expanding matrix of new regulation, including the GDPR, business leaders may wish to consider one or more of the following steps:

Set a tone at the top of awareness and urgency. Executives should assert leadership regarding—and take ownership of—cyber risk. Data security is not the sole responsibility of the IT department. The threat is simply too great and cuts across multiple departments within organizations.

Identify translators. Too often, the technical team responsible for information technology (IT) security speaks a language the C-suite does not understand. Executives need to have translators in place who are able to understand both the technical requirements of the company’s systems and the reputational risk to the company’s brand.

Implement best practices. The WannaCry and Petya ransomware events drove home the importance of developing consistent protocols for patching known software flaws. The GDPR and other regulations will require a similar awareness around data processing and privacy issues. In addition to implementing security measures such as firewalls, penetration testing or “detonation” software, has your organization conducted a credible tabletop exercise simulating a cyber attack?

Start communicating with customers and shareholders now. Companies should prepare their stakeholders for an era of greater transparency and disclosure and the almost inevitable day when a cyber intrusion occurs. Help your customers understand how you collect and use their personal data, and how you are complying with regulations.

Make up for lost time. The penalties for noncompliance with the GDPR are severe. Executives should reach out to regulators, law enforcement authorities and policymakers—not so much to lobby, but rather to share insight, information and help shape the rules as they evolve.

No one has all the answers. Corporate leaders should act today to give their companies the best chance to adapt to a new world order that offers both great opportunity and substantial risk.

Peter J. Beshar

Executive Vice President and General Counsel for Marsh & McLennan Companies@PBeshar

Peter J. Beshar is executive vice president and general counsel for Marsh & McLennan Companies. He also oversees the company’s Government Relations, Risk Management and Legal and Public Affairs groups.